
Conducting a Privacy Audit

By Michael L. Whitener
June 29, 2012

A glance at the headlines reveals that data privacy breaches are increasingly common, and the consequences to corporations, in terms of reputational damage, potential liability and costs to remedy, are increasingly dire.

To avoid those consequences, any corporate entity that collects, uses or transfers personal information must take steps to ensure it is complying with legal requirements for maintaining data privacy and, equally important, living up to the trust of its employees, customers, partners and suppliers.

How can that be done?

A privacy audit provides a means of benchmarking corporate privacy practices against what the law requires and what industry best practices demand.

So what exactly does a privacy audit entail?

As explained below, it need not be a daunting or expensive undertaking. With the proper tools, support from corporate management, a motivated audit team and a few guidelines, a privacy audit can be conducted using primarily internal resources and with little or no business disruption. If performed properly, a privacy audit will result in a clear understanding of an organization's personal data flows and a comprehensive information security/privacy program that will protect personal data from unlawful collection, handling and disclosure.

Types of Privacy Audits

Broadly speaking, there are two types of privacy audits: an “adequacy” audit and a “compliance” audit.

Adequacy Audit

An adequacy audit is aimed at: 1) determining whether an organization's data privacy policies are adequate to address the requirements of all applicable data protection laws and regulations, domestic and international; and 2) making sure they apply to all data processing that an organization actually conducts.

This type of audit involves not only a review of all company policies, procedures, codes of practice and guidelines that affect the handling of personal data within the company and in dealing with third parties such as vendors and suppliers, but also requires an understanding and mapping of data flows across the enterprise.

An adequacy audit may well reveal serious gaps in an organization's data privacy policies, given the types of personal data being handled and the ways it is being stored, transferred and otherwise processed. In that case, while an organization could proceed right away with conducting a compliance audit, the better practice, in my view, is to first remedy the policies and procedures found wanting before continuing to the compliance audit.

Why?

The answer: Because the purpose of a compliance audit is to determine whether a company is hitting its targets in terms of the objectives established by its privacy program. If those targets are non-existent, or poorly placed, it will be a false victory to declare that they have been achieved.

Compliance Audit

The compliance audit sets a higher hurdle than the adequacy audit: to determine whether an organization is abiding by the policies and procedures identified during (and perhaps improved as a result of) the adequacy audit. It requires an investigation of how personal data is handled in practice within the various business units, across departments and when dealing with third parties.

A comprehensive compliance audit should also examine such factors as whether the organization offers data privacy compliance training, how data privacy policies are disseminated to employees and how complaints of policy violations are handled. The depth of the compliance audit will depend on perceived risks to the enterprise of violations and data breaches.

Tools for a Privacy Audit

Two essential tools are part of a privacy audit toolkit: 1) questionnaires and follow-up interviews aimed at mapping data flows and processing; and 2) a data privacy table or matrix that allows the tabulation of the results of the audit.

Questionnaires and Interviews

For the adequacy audit and the compliance audit, drafting a questionnaire to be completed by the various business units that handle personal data is a critical step. The questionnaire should seek answers to questions such as the following:

  • What are the purposes for which personal data is being collected? For example: customer administration, employee administration, advertising and marketing.
  • Whose personal data is being processed? For example: customers, employees, suppliers, consultants.
  • What types of personal data are being collected? For example: names, addresses, telephone numbers, occupational details, Social Security numbers or other identification numbers, and financial information. Particular attention should be paid to any personal data that might be considered “sensitive.” In the European Union, sensitive data includes data pertaining to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health matters and sexual orientation.
  • How is personal data collected? For example: hard copy form, online, by telephone or from third parties.
  • Is the consent of the individual obtained? If so, by what means, and at what point in the collection process?
  • How relevant is the personal data to the purposes for which it was collected? Would anonymized data serve those purposes equally well?
  • What steps are taken to ensure that the accuracy of personal data is maintained during the period of retention?
  • How long is personal data retained? Is this retention period really necessary, e.g., legally mandated? Or is personal data being held for longer than required to meet legal obligations or reasonable business purposes?
  • Where and how is personal data stored?
  • What technical and organizational security measures are taken to protect personal data against unauthorized access, damage or erasure? For example: encryption, use of secure passwords, contingency plans and training.
  • Is the personal data disclosed to any third parties? If so, for what purposes? What additional security measures are taken to protect disclosed personal data from unauthorized access, damage or further disclosure, e.g., written contracts with third parties that impose specific data security and privacy obligations?
  • Is personal data transferred outside the country in which it is collected? If so, what consents are obtained and what additional security measures are taken?
  • Are there procedures in place to allow individuals to access and control use of their personal data? For example: opportunities to correct inaccurate personal data, delete irrelevant personal data, and prevent their personal data from being used for marketing purposes.
  • How is personal data that is no longer required disposed of? Does the method of disposal/destruction ensure that the personal data cannot be accessed again?

Answers to the questionnaire should be collected from each of the business units that may handle personal data, typically including human resources, information technology, marketing and customer sales/support. Each department head should be required to ensure that the questionnaire is completed fully and accurately.

(Editor's note: For more on this topic, see “Litigation Support for Information Governance: Protection of Personal Identifiable Information Is Not a Matter to Be Taken Lightly, Make a Plan,” in the May 2012 edition of e-Commerce Law & Strategy, at http://bit.ly/PJtOuL, and for more on European Union standards, see “New European Data Protection Regulation Draft,” in the April 2012 edition of e-Commerce Law & Strategy, at http://bit.ly/HVkiAS.)

Following Up

Inevitably, responses to the questionnaire will raise additional questions, which is where the follow-up interview comes in. Personal interviews with the executives and employees responsible for handling personal data within an organization allow for a deeper dive into the whys and hows of personal data processing. For example, the questionnaire may reveal that the human resources department is retaining employee information for years after an employee has left the company, but cannot explain the rationale for such retention. That rationale can be explored during a follow-up interview.

The importance of the questionnaire and follow-up interview in determining compliance with data privacy policies should be obvious, but the responses are equally important in determining the adequacy of the policies themselves. Too many companies put privacy policies in place with only a dim understanding of how applicable they are to actual enterprise data flows. The questionnaire/interview responses should be geared toward making sure there is alignment between policies, and actual personal data collection and handling.

Privacy Adequacy and Compliance Matrix

The other essential privacy audit tool is a matrix that organizes the results of the audit questionnaire, and the review of an organization's privacy policies and procedures. The format for this matrix I have found most useful is a table with the following headings:

  • Privacy principles. State the specific privacy principle (likely required by law) the organization is seeking to achieve.
  • Description. Describes the privacy principle in some detail.
  • Documented policy. References the organization policy (with citation to a specific section) that is intended to satisfy the privacy principle. If no documented policy exists, then that should be noted.
  • Compliance with principle. Describes whether the organization is complying with the principle and the related organization policy.
  • Gaps/weaknesses. Any failures of the organization to abide by the privacy principle and related documented policy can be noted.
  • Notes. Indicate any follow-up tasks.

In deciding what privacy principles should be achieved, an organization need not start from scratch. There are a number of templates that can be reviewed and borrowed from. I have found the privacy risk assessment tool developed jointly by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants, based on generally accepted privacy principles, to be especially helpful for this purpose. In the European Union, some national data protection authorities have issued their own auditing guidelines. For instance, the Netherlands has published a privacy audit framework to guide the auditing process.

While an audit report should also contain a narrative of audit results and conclusions, the adequacy/compliance matrix provides a convenient method for compiling the results of the privacy audit in easily understandable form and for ready reference. Equally important, the matrix allows for ready apples-to-apples benchmarking of an organization's progress in satisfying relevant data privacy requirements from year to year.
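The matrix described above, as an added illustration that is not part of the original article: a short Python script that takes structured questionnaire answers from two business units (constructed sample data, not real audit results), evaluates them against a small set of privacy principles, and emits one matrix row per principle and unit. A row records an adequacy gap where no documented policy exists for the principle and a compliance gap where the unit's actual practice fails it, which mirrors the article's point that a missing policy should be remedied before compliance is declared. The principle names, the policy citations, the retention limits and the questionnaire field names are all assumptions chosen for illustration.

```python
"""Added example: tabulate privacy questionnaire answers into an
adequacy/compliance matrix and flag gaps. Not code from the original
article; every name, citation and limit below is an illustrative assumption."""
from dataclasses import dataclass, field

# Privacy principles the organization measures itself against (illustrative).
PRINCIPLES = {
    "purpose_limitation": "Personal data is collected only for specified, explicit purposes.",
    "retention": "Personal data is kept no longer than necessary for the purpose collected.",
    "security": "Technical and organizational measures protect personal data at rest.",
    "third_party": "Disclosures to third parties are covered by written data protection terms.",
    "cross_border": "Transfers outside the country of collection rest on a recorded consent.",
}

# Documented policy (with section citation) intended to satisfy each principle.
# A principle with no entry is an adequacy gap. Citations are constructed.
POLICY_INDEX = {
    "purpose_limitation": "Data Privacy Policy, s. 2.1",
    "retention": "Records Retention Schedule, s. 4",
    "security": "Information Security Policy, s. 6.3",
    "third_party": "Vendor Management Policy, s. 3",
    # deliberately no documented cross-border transfer policy
}

# Months of retention the (constructed) schedule allows after the relationship ends.
RETENTION_LIMIT_MONTHS = {"employees": 84, "customers": 36, "suppliers": 36}


@dataclass
class QuestionnaireResponse:
    """One business unit's answers to the questionnaire (field names assumed)."""
    unit: str
    data_subjects: str            # key into RETENTION_LIMIT_MONTHS
    purposes: list
    sensitive_data: bool
    retention_months: int
    encrypted_at_rest: bool
    disclosed_to_third_parties: bool
    third_party_contract: bool
    transferred_abroad: bool
    transfer_consent: bool


@dataclass
class MatrixRow:
    """One row of the adequacy/compliance matrix, using the article's headings."""
    principle: str
    description: str
    documented_policy: str
    unit: str
    compliant: bool
    gaps: list = field(default_factory=list)
    notes: str = ""


def compliance_checks(r):
    """Map each principle to (compliant?, finding text) for one unit's answers."""
    limit = RETENTION_LIMIT_MONTHS[r.data_subjects]
    return {
        "purpose_limitation": (bool(r.purposes), "no stated purpose for collection"),
        "retention": (r.retention_months <= limit,
                      f"retains {r.data_subjects} data {r.retention_months} months; schedule allows {limit}"),
        "security": (r.encrypted_at_rest,
                     "stored unencrypted" + (" (includes sensitive data)" if r.sensitive_data else "")),
        "third_party": (not r.disclosed_to_third_parties or r.third_party_contract,
                        "disclosed to third parties without written data protection terms"),
        "cross_border": (not r.transferred_abroad or r.transfer_consent,
                         "transferred abroad without recorded consent"),
    }


def evaluate(r):
    """Build matrix rows for one unit: adequacy gap if no policy, compliance gap if check fails."""
    rows = []
    for principle, (ok, finding) in compliance_checks(r).items():
        policy = POLICY_INDEX.get(principle, "NONE")
        gaps = []
        if policy == "NONE":
            gaps.append("no documented policy")          # adequacy gap
        if not ok:
            gaps.append(finding)                         # compliance gap
        notes = ("draft policy before re-testing compliance" if policy == "NONE"
                 else "follow-up interview with unit head" if not ok else "")
        rows.append(MatrixRow(principle, PRINCIPLES[principle], policy, r.unit, ok, gaps, notes))
    return rows


def build_matrix(responses):
    return [row for r in responses for row in evaluate(r)]


def gap_rows(matrix):
    """Rows with at least one adequacy or compliance gap, for the audit report."""
    return [row for row in matrix if row.gaps]


def render(matrix):
    """Tab-separated rendering suitable for pasting into a spreadsheet."""
    lines = ["principle\tpolicy\tunit\tcompliant\tgaps\tnotes"]
    for row in matrix:
        lines.append("\t".join([row.principle, row.documented_policy, row.unit,
                                "yes" if row.compliant else "NO",
                                "; ".join(row.gaps), row.notes]))
    return "\n".join(lines)


# Constructed sample answers from two units; not real audit data.
SAMPLE_RESPONSES = [
    QuestionnaireResponse("Human Resources", "employees", ["employee administration"],
                          sensitive_data=True, retention_months=120, encrypted_at_rest=True,
                          disclosed_to_third_parties=True, third_party_contract=True,
                          transferred_abroad=False, transfer_consent=False),
    QuestionnaireResponse("Marketing", "customers", ["advertising and marketing"],
                          sensitive_data=False, retention_months=24, encrypted_at_rest=False,
                          disclosed_to_third_parties=True, third_party_contract=False,
                          transferred_abroad=True, transfer_consent=False),
]

if __name__ == "__main__":
    print(render(gap_rows(build_matrix(SAMPLE_RESPONSES))))
```

With the sample answers, HR shows a compliance gap on retention (120 months against an 84-month schedule) and Marketing shows gaps on security, third-party disclosure and cross-border transfer; both units also carry an adequacy gap on the cross-border principle because no policy is documented, which the notes column flags for drafting before compliance is re-tested.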

Procedures

Assembling an Audit Team

A threshold question when preparing for a privacy audit is whether the audit will be conducted internally, by an outside audit team, or using some mixture of internal and external resources.

Several advantages of conducting a privacy audit using existing corporate resources (including the internal audit team, if there is one) can be easily identified:

  • It is less costly;
  • Employees will have a better understanding of the corporate organization and activities than outsiders would have; and
  • The learning process of conducting an internal privacy audit will prove useful for corporate data privacy awareness and post-audit monitoring purposes.

A few disadvantages of using an internal audit team should be noted, however:

  • Possibly less objective and less rigorous than an independent, third-party audit team;
  • Audit results may carry less weight externally, e.g., with legal authorities if a data breach does occur; and
  • An internal audit team, unlike a “hired guns” team, will not readily be able to benchmark audit results against results of audits done in other similarly placed organizations.

In my opinion, the solution that best combines audit depth and comprehensiveness with cost-efficiency is an in-house audit team (including representatives from legal, finance, HR, IT and marketing) under the guidance of an outside privacy audit professional. That way, an organization reaps the advantages of internal institutional knowledge along with the objectivity and experience of a seasoned privacy auditor.

Setting the Tone at the Top

Once a decision is made on who will make up the audit team, and an audit start date is agreed on, it is important to consider the “messaging” of the audit undertaking. As with all corporate legal compliance initiatives, the so-called tone at the top is critical.

One tried-and-true strategy is for the CEO to distribute a memorandum describing why a privacy audit is being conducted, who will be leading the effort and what participation will be required from business units. A memorandum with the CEO's imprimatur will help overcome any reluctance of staff to set aside their usual duties to support the audit. If appropriate, the memorandum should note that the board of directors is fully behind the audit.

The Aftermath

Once the privacy audit is completed, an audit report should be prepared. The audit report will include the privacy adequacy and compliance matrix discussed earlier in this article, and which will incorporate the results of the questionnaire and follow-up interviews, as well as the review of the organization's policies and procedures. The audit report should also include a narrative that addresses such factors as:

  • The methodology of the privacy audit;
  • Who was responsible for the audit;
  • Conclusions, including any identified privacy gaps and weaknesses; and
  • Recommended remedial actions, including employee training.

For purposes of closing any gaps in existing organization policies and procedures, one option would be to create a new information security/data privacy program. There may be merit to such an approach, depending on how up-to-date existing policies are and how much the organization's data processing activities have changed since the policies were put in place.

However, the organization may also find that it already has many elements necessary for a robust, up-to-date data protection program (an acceptable use policy here, an online privacy policy there) and can knit these disparate pieces together into a comprehensive program that requires only filling in a few gaps. Related policies can be grouped under an umbrella policy that functions as a data privacy mission statement. What is crucial is that the audit report be the basis for action, whether that action is drafting or revising privacy policies, or taking steps to ensure compliance with policies already in place.

Conclusion

In the data privacy sphere, as in e-commerce, the one constant is change. Privacy issues are getting increasingly high priority on political and social agendas as the ease with which personal data can be collected, stored, marketed and transferred globally has expanded, and the term big data has entered the vernacular. One consequence has been more stringent data protection requirements and more draconian penalties for violations: witness the European Commission's January 2012 proposal for a General Data Protection Regulation to replace the EU Data Protection Directive, with fines for violations of up to 2% of a company's annual worldwide turnover.

In this environment, the protection of personal data is paramount. Conducting a data privacy audit allows a real-time assessment of how well an organization is living up to its data protection legal obligations as well as how well it is meeting the expectations of its customers, its employees and others. Such an audit simply makes good business sense and need not drain corporate resources, financial or otherwise.


Michael L. Whitener is lead counsel, technology & communications, at Clearspire Law (www.clearspire.com). He is a certified information privacy professional (CIPP/US and CIPP/G). Whitener can be reached at [email protected].
